
In this video we talk about how to do in-place file hash comparison from a disk image. We use The Sleuth Kit and CoreUtils on Windows to extract file data, create an MD5 hash of the file data, and use hfind to search a hash database.

Specifically, we analyze an Expert Witness File (E01). First we use mmls to extract partition information from the physical disk image. From that we can extract the partition offset. With the partition offset, we can use fls to list the files in the partition. We show how to use icat and fcat to extract file data using the file inode or the file name. We feed the icat output into md5sum (CoreUtils) and cut everything except the MD5 hash value. Finally, we pipe the hash value into hfind (The Sleuth Kit) to check whether the hash value is in the known database.
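The chain described above, written out as an added example (not the commands shown in the video). The mmls listing is a constructed sample, and the image name, inode number and database name in the comments are placeholders; it assumes the hash database has already been indexed with hfind -i.

```shell
#!/bin/sh
# Added example: mmls -> fls -> icat/fcat -> md5sum -> cut -> hfind.

# Constructed sample of what `mmls image.E01` prints (not from the video).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)'

# Read mmls output on stdin and print the start sector of every allocated
# partition (slot of the form 000:000), with leading zeros stripped so the
# value can be passed straight to -o.
partition_offsets() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ { print $3 + 0 }'
}

# Read file content on stdin, keep only the MD5 hex digest, and let hfind
# read that hash from stdin. $1 = hash database.
# The index must exist first, e.g.: hfind -i md5sum known.db
md5_lookup() {
    md5sum | cut -d ' ' -f 1 | hfind "$1"
}

# Hash a file in place by inode (inode numbers come from: fls -r -o OFFSET IMAGE).
# $1 = image, $2 = partition offset in sectors, $3 = inode, $4 = hash database
lookup_inode() {
    icat -o "$2" "$1" "$3" | md5_lookup "$4"
}

# Same lookup by path inside the file system. fcat takes the path before
# the image name.
# $1 = image, $2 = partition offset in sectors, $3 = path, $4 = hash database
lookup_path() {
    fcat -o "$2" "$3" "$1" | md5_lookup "$4"
}

# Typical use against a real image (placeholder names):
#   mmls image.E01 | partition_offsets
#   lookup_inode image.E01 2048 64 known.db
```

Nothing is written to disk at any step: the file content only exists in the pipe between icat (or fcat) and md5sum.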